The Top 10 Operational Impacts of the EU's General Data Protection Regulation

IAPP - International Association of Privacy Professionals

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC, effective May 25. The GDPR is directly applicable in each Member State and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force. With new obligations on such matters as data subject consent, data anonymization, breach notification, cross-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens' data to undertake major operational reform. In this 10-part series, IAPP Research Director Rita Heimes, CIPP/US, and Westin Research Fellows Gabriel Maldoff, CIPP/US, and Anna Myers, CIPP/US, explore the major issues with which organizations will have to grapple as they bring themselves into compliance with the world's most impactful privacy law.

Table of Contents

Chapter 1: Data Security and Breach Notification Standards, p. 4
Chapter 2: The Mandatory DPO, p. 7
Chapter 3: Data Subject Consent, p. 9
Chapter 4: Cross-border Data Transfers: Adequacy and Beyond, p. 13
Chapter 5: Profiling and the Right To Object, p. 19
Chapter 6: The New Rights To Be Forgotten and to Data Portability, p. 23
Chapter 7: Clarifying Duties and Responsibilities of Controllers and Processors, p. 27
Chapter 8: Pseudonymization of Personal Data, p. 31
Chapter 9: Codes of Conduct and Certifications, p. 36
Chapter 10: Complex Administrative Procedures and Hefty Fines, p. 44

1 Data Security and Breach Notification Standards

Data security plays a prominent role in the GDPR, reflecting its symbiotic relationship with modern comprehensive privacy regimes. Compared to Directive 95/46/EC, the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security standards. The GDPR also adopts for the first time specific breach notification guidelines.

Security of data processing standards

The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide "sufficient guarantees to implement appropriate technical and organizational measures" to meet the GDPR's requirements and protect data subjects' rights. Processors must also take all measures required by Article 32, which delineates the GDPR's security of processing standards.

Under Article 32, similarly to the Directive's Article 17, controllers and processors are required to implement appropriate technical and organizational measures "taking into account the state of the art and the costs of implementation and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons." Unlike the Directive, however, the GDPR provides specific suggestions for what kinds of security actions might be considered "appropriate to the risk," including:

- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism, as described in Article 40 and Article 42 respectively, may use these tools to demonstrate compliance with the GDPR's security standards.

For additional guidance on security standards, controllers and processors may consider the Recitals, in particular Recitals 49 and 71, which allow for processing of personal data in ways that may otherwise be improper when necessary to ensure network security and reliability.

Personal data breach notification standards

Unlike the Directive, which was silent on the issue of data breach, the GDPR contains a definition of "personal data breach" and notification requirements to both the supervisory authority and affected data subjects. "Personal data" is defined in both the Directive and the GDPR as "any information relating to an identified or identifiable natural person ('data subject')." Under the GDPR, a personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." This broad definition differs from that of most U.S. state data breach laws, for example, which typically are triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information.

In the event of a personal data breach, data controllers must notify the supervisory authority "competent in accordance with Article 55," which is most likely (looking to Article 56(1)) the supervisory authority of the Member State where the controller has its main establishment or only establishment, although this is not entirely clear. Notice must be provided "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If notification is not made within 72 hours, the controller must provide a "reasoned justification" for the delay.

Article 33(1) contains a key exception to the supervisory authority notification requirement: Notice is not required if "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons," a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification.

A notification to the authority must "at least": (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer's contact information; (3) "describe the likely consequences of the personal data breach"; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

When a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.

If the controller has determined that the personal data breach is "likely to result in a high risk to the rights and freedoms of natural persons," it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 34, this must be done "without undue delay." The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances: (1) the controller "has implemented appropriate technical and organizational protection measures" that "render the personal data unintelligible to any person who is not authorized to access it, such as encryption"; (2) the controller takes actions subsequent to the personal data breach to "ensure that the high risk to the rights and freedoms of data subjects" is unlikely to materialize; or (3) when notification to each data subject would "involve disproportionate effort," in which case alternative communication measures may be used.

Assuming the controller has notified the appropriate supervisory authority (commonly known as a data protection authority or DPA) of a personal data breach, its discretion to notify data subjects is limited by the DPA's ability, under Article 34(4), to require notification or, conversely, to determine it is unnecessary under the circumstances.

Harmonization

Data breach notification law is possibly most mature in the U.S., relative to other nations and regions. There, reasonable security standards are still being defined and nearly every U.S. state has a different breach notification law, which has led to some consternation among privacy professionals. The GDPR's uniform application across EU Member States should at least provide predictability, and thus efficiencies, to controllers and processors seeking to establish compliant data security regimes and breach notification procedures across the entirety of the 28 Member States. Nonetheless, the GDPR's reference to a "competent" supervisory authority suggests notification may need to be made to more than one supervisory authority depending on the circumstances, and the ambiguity of a number of terms such as "undue delay," "likelihood of risk to rights and freedoms," and "disproportionate effort" all remain to be further clarified and defined in practice.

2 The Mandatory DPO

A huge number of data controllers and processors alike must designate a data protection officer to comply with the GDPR. Under Article 37, data protection officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of special categories of data (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like, defined in Article 9). Although an early draft of the GDPR limited mandatory data protection officer appointment to companies with more than 250 employees, the final version has no such restriction.

Article 37 does not establish the precise credentials data protection officers must carry, but does require that they have "expert knowledge of data protection law and practices." The GDPR's recitals suggest the level of expert knowledge "should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor."

The data protection officer's tasks are also delineated in Article 39 of the Regulation to include:

- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments when required under Article 35.
- Working and cooperating with the controller's or processor's designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.

These responsibilities mirror those of privacy professionals elsewhere around the globe and signal a growth spurt for the profession in the EU. In fact, the GDPR borrows some concepts from Germany's Federal Data Protection Act, which already requires a data protection officer to be appointed by firms with at least nine people employed in the automated processing of personal data, or at least 20 people who are engaged in non-automated data processing. Under German law, data protection officers must be suitably qualified and are protected against dismissal except for severe breach of their duties. Many firms out-source the data protection officer responsibilities to specialized agencies or law firms. Failure to comply with Germany's compulsory data protection officer requirements can lead to significant fines.

Under the Regulation, moreover, data protection officers have many rights in addition to their responsibilities. They may insist upon company resources to fulfill their job functions and for their own ongoing training. They must have access to the company's data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line to the highest management level of the company. Data protection officers are expressly granted significant independence in their job functions and may perform other tasks and duties provided these do not create conflicts of interest. Job security is another perk: the GDPR expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure.

A company with multiple subsidiaries (a "group of undertakings") may appoint a single data protection officer so long as she is "easily accessible from each establishment." The GDPR also allows the data protection officer functions to be performed by either an employee of the controller or processor or by a third-party service provider, creating opportunities for consulting and legal firms to offer outside DPO services. Regardless of who fills these roles both inside and outside of the EU, there ought to be considerable competition for talented and trained DPOs. The IAPP recently released a study showing demand for at least 28,000 data protection officers by the spring of

3 Data Subject Consent

Consent remains a lawful basis to transfer personal data under the GDPR; however, the definition of consent is significantly restricted. Where Directive 95/46/EC allowed controllers to rely on implicit and "opt-out" consent in some circumstances, the GDPR requires the data subject to signal agreement by "a statement or a clear affirmative action." The new law maintains the distinct requirements for processing special categories of personal data that were present in the Directive, but it expands the range of what is included in those special categories. Finally, the GDPR introduces restrictions on the ability of children to consent to data processing without parental authorization. This chapter addresses each of these GDPR consent provisions in turn.

GDPR mandates affirmative consent for data processing

Under the GDPR, consent must be "freely given, specific, informed and unambiguous." There was uncertainty leading up to this final draft whether the EU would settle on "unambiguous" consent, as required by the Directive, or the higher standard of "explicit" consent. The final draft has staked out a middle position, on the one hand opting for "unambiguous" consent, while on the other hand requiring such consent to be expressed "by a statement or by a clear affirmative action." Recital 32 clarifies that an affirmative action signaling consent may include ticking a box on a website, "choosing technical settings for information society services," or "another statement or conduct" that clearly indicates assent to the processing. Silence, pre-ticked boxes or inactivity, however, is presumed inadequate to confer consent. The GDPR, therefore, creates additional hurdles for consent over what was required by the Directive.

As interpreted by the Article 29 Working Party's Opinion 15/2011 on the definition of consent, the Directive required the controller to provide accurate and full information on all relevant issues, including the nature of the data that will be processed, the purposes of processing, the identity of the controller, and the identity of any other recipients of the data. Consent had to be specific to the processing operations and the controller could not request open-ended or blanket consent to cover future processing. Significantly, while consent could be satisfied by an express statement, it also could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of "opt-out" consent. The GDPR removes that possibility by requiring the data subject to make a statement or clear affirmative action. In particular, the GDPR includes three additional requirements:

First, Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and "it shall be as easy to withdraw consent as to give it." Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.

Second, in Recital 43, the GDPR adds a presumption that consent is not freely given if there is a "clear imbalance" between the data subject and the controller, in particular where the controller is a public authority. Importantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service.

Third, the GDPR adds that consent must be specific to each data processing operation. To meet the specificity requirement under Article 7, a request for consent to data processing must be "clearly distinguishable from any other matters" in a written document, and it must be provided "in an intelligible and easily accessible form, using clear and plain language." However, the law exempts controllers from obtaining consent for subsequent processing operations if the operations are "compatible." Recital 50 states that compatibility is determined by looking at factors including the link between the processing purposes, the reasonable expectations of the data subject, the nature and consequences of further processing, and the existence of appropriate safeguards for the data. Under Article 5(1)(b), additional processing for archiving in the public interest (as defined by the Member State), statistical purposes, or scientific and historical research generally will be considered compatible and, therefore, exempt from specific consent. These exceptions are potentially quite broad. Where they apply, under Article 89 controllers will not have to erase or rectify data after the data subject has withdrawn consent. The exceptions also impact restrictions on processing, data portability and the data subject's rights to object to and to be notified of processing operations. (The broader contours of these exceptions are discussed in an article on "How GDPR changes the rules for research.")

Although the GDPR removes the possibility of "opt-out" consent by forbidding silence, inactivity, and pre-ticked boxes as a means of providing consent, Recital 32 states that the data subject may consent by "choosing technical settings for information society services." It remains to be seen how this provision will be interpreted, but the language may leave intact the provisions of the e-Privacy Directive relating to cookies and other tracking technologies. Specifically, Article 5(3) of that Directive states that, generally, a data subject must provide specific, informed consent to the use of cookies or comparable tracking technology. However, Recital 66 provides an exception where cookies are "strictly necessary for the legitimate purpose of enabling the use of a specific service requested by the subscriber or user." It also provides that the user's consent to processing "may be expressed by using the appropriate settings of a browser or other application." Under the Article 29 Working Party's interpretation of this provision, the browser settings exception applies only if the browser's default rejects the placement of cookies, thereby requiring the user to actively opt in to receiving cookies. This interpretation may accord with the GDPR's language requiring a "clear affirmative action."

Whenever a controller relies on consent as a basis for processing, under Article 7(1), the controller bears the burden of demonstrating that consent was obtained lawfully according to the principles above.

GDPR requires explicit consent for special categories of personal data

GDPR Article 9 requires a higher level of consent, "explicit consent," for the processing of special categories of personal data. These special categories relate to personal data that are particularly sensitive in relation to fundamental rights and freedoms and, therefore, merit specific protection. They include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

The standard for explicit consent likely remains the same as under Directive 95/46/EC, which also required controllers to obtain explicit consent for processing special categories of personal data. Under the Directive, the Article 29 Working Party defined explicit consent as "all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing." Thus, a user's conduct or choice of browser settings probably will not be sufficient to meet this high bar. The GDPR also allows Member States to enact laws that restrict the processing of some categories of data even if the data subject explicitly consents.

The only distinction between the Directive and the GDPR on this issue is that the GDPR expands the definition of sensitive data to include genetic data, biometric data (in some cases), and data concerning sexual orientation. "Genetic data" is defined, under Article 4, as "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question." "Biometric data" is personal data that identifies an individual based on the "specific technical processing" of the individual's physical or behavioral characteristics. Recital 51 notes that photographs will qualify as biometric data only when they are processed through "a specific technical means allowing the unique identification or authentication of a natural person."

GDPR requires parental consent for processing children's personal data

In Article 8, the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorization. Previous drafts of the Regulation set the age of consent at 13 years old, which would have been consistent with the age of consent set by the Children's Online Privacy Protection Act (COPPA) in the U.S. However, a last-minute proposal aimed to raise the age of consent to 16 years old. After the last round of trilogue negotiations, the final draft opted for the age of consent to be set at 16 years, but it allows Member States to set a lower age not below 13 years. Thus, unless otherwise provided by Member State law, controllers must obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16. They also must make reasonable efforts to verify that a parent or guardian has provided the appropriate consent.

Differing rules on the age of consent in EU Member States, as well as between the EU standard and the COPPA age-13 rule applicable in the U.S., could create significant challenges for companies that offer international services. It is unclear whether Member States will act together on this issue. At this time, at least one Member State, the U.K., has vowed to lower its age of consent to 13.

Other Provisions

Consent features in a variety of other sections of the Regulation. For example, under the right to erasure, in Article 17, the data subject has the right to have the controller erase her data if she withdraws consent and the processing had been based on her consent. Under Article 18, where the data subject exercises her right to restrict data processing, the controller may only continue to process the data if it obtains the data subject's consent or if processing is necessary for a legal claim. Article 20 grants the data subject the right to receive all the personal data about her in the controller's possession where the processing is based on her consent. In these circumstances, the required level of consent is "unambiguous" consent.

The GDPR requires the data subject's explicit consent in two other circumstances. Under Article 22, controllers need to obtain explicit consent to make decisions about the data subject based solely on automated processing, including profiling, when the processing produces legal effects or similarly significantly affects the data subject. Controllers also must seek explicit consent, under Article 49, to authorize transfers of personal data to countries that do not provide an adequate level of protection, if no other transfer mechanism is in place.

Penalties

The GDPR provides for two different levels of administrative penalties. Some violations are subject to fines up to 10,000,000 EUR or up to two percent of global annual turnover, while for other violations, those maximums are doubled to 20,000,000 EUR or 4 percent of global turnover. Violation of the rules around consent generally subjects controllers to the higher level of fines, but violations of the rules concerning age of consent are subject to the lower level of penalties.

4 Cross-border Data Transfers: Adequacy and Beyond

The GDPR permits personal data transfers outside of the EU subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an "adequate" level of personal data protection. In the absence of an adequacy decision, however, transfers to non-EU states are also allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted under limited additional circumstances.

Important distinctions between the GDPR and the Directive bear noting, however. In particular, the GDPR explicitly acknowledges as valid the current requirements for BCRs for controllers and processors, which will be helpful for data transfers involving those Member States that do not as yet recognize BCRs. Standard contractual clauses, which prior to the GDPR required prior notice to and approval by data protection authorities, may now be used without such prior approval. Further, a newly introduced scheme in Article 42 allows for transfers based upon certifications, provided that binding and enforceable commitments are made by the controller or processor to apply the appropriate safeguards. In addition to facilitating international data transfers through new mechanisms, the GDPR also makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. It also imposes hefty monetary fines for transfers in violation of the Regulation.

Transfers with an adequacy decision

Chapter V of the GDPR (Articles 44 through 49) governs cross-border transfers of personal data. Article 45 states the conditions for transfers with an adequacy decision; Article 46 sets forth the conditions for transfers by way of appropriate safeguards in the absence of an adequacy decision; Article 47 sets the conditions for transfers by way of binding corporate rules; Article 48 addresses situations in which a foreign tribunal or administrative body has ordered a transfer not otherwise permitted by the GDPR; and Article 49 states the conditions for derogations for specific situations in the absence of an adequacy decision or appropriate safeguards. These articles mirror the data controller's or processor's menu of choices for GDPR-compliant personal data transfers, in descending order of preference and likely in ascending order of expense. In other words, only if data is transferred to a country not deemed adequate does the controller or processor turn to the other options.

Under the Directive, only approved third countries were appropriate to receive personal data transfers outside the Member States. The GDPR allows transfers not only to third countries, but also to "a territory or a specified sector within a third country," or to an international organization, provided they have been awarded the Commission's adequacy designation. Once the Commission confers (or retracts) an adequacy designation, the decision binds all EU Member States.

The Schrems case (C-362/14) raised the bar required for an adequacy decision to "essential equivalence." Recital 104 confirms that a Commission adequacy decision means that the third country or specified entity ensures an adequate level of protection "essentially equivalent to that ensured within the [European] Union." The Commission considers myriad factors in determining adequacy, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order, and criminal law. Transfers to an adequate third country or entity may take place without further authorization by the Commission or Member States.

Adequacy decisions are also subject to periodic review, at least every four years, to determine whether the third country or entity still ensures an adequate level of data protection (Article 45(3)). In the periodic review, the Commission consults with the third country or entity, and considers relevant developments and information from other relevant sources such as the findings of the European Parliament or Council (Recital 106).

Transfers by way of appropriate safeguards

Similar to the Directive, the GDPR provides mechanisms for cross-border data transfers in the absence of an adequacy designation if the controller or processor utilizes certain safeguards. Under Article 46, appropriate safeguards include:

- A legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules in accordance with Article 47.
- Standard data protection contractual clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).
- Standard data protection contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2).
- An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
- An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

Standard data protection contractual clauses

Changes to the requirements for standard data protection contractual clauses reduce their administrative burden. Under the GDPR, these clauses do not require prior authorization of supervisory authorities, and such clauses can be adopted by the European Commission as well as by national supervisory authorities. Existing standard contract clauses may remain valid, but the GDPR leaves open the possibility of their repeal. Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus are potentially a less attractive option for controllers.

Codes of conduct and certification mechanisms

In Article 46, the GDPR lists two new appropriate safeguards, codes of conduct and certification mechanisms, that have general application to both controllers and processors. Codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain information privacy standards. Under the GDPR, such codes may be prepared by associations or other bodies representing controllers or processors, and may be drawn up to address many aspects of the GDPR, including international data transfers. Adherence to these codes of conduct by controllers or processors not otherwise subject to the Regulation, but involved in the transfer of personal data outside the EU, will help a regulated controller demonstrate adequate safeguards. Draft codes of conduct must be submitted to the appropriate supervisory authority for approval pursuant to Article 40. An accredited and competent body may, under Article 41, monitor compliance with a code of conduct.

Data protection certification, seals, and marks may be developed, ideally at the Union level, to demonstrate a controller's or processor's adherence to certain standards. Like codes of conduct, certification is available to controllers and processors outside the EU provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards. As further described in Articles 42 and 43, the certification mechanisms, seals, and marks require further action by the European Data Protection Board, which may develop a common European Data Protection Seal and which will also be responsible for publishing information about certification registrants in a common and publicly available directory.

BCR-specific provisions

The GDPR, unlike the Directive, explicitly lists BCRs as an appropriate safeguard in Article 46 and provides detailed conditions for transfers by way of BCRs in Article 47. Those provisions specify that BCRs require approval from a supervisory authority in accordance with the consistency mechanism in Article 63, and they govern what must be included in BCRs at a minimum, such as the structure and contact details of the concerned group, information about the data and transfer processes, how the rules apply general data protection principles, complaint procedures, and compliance mechanisms. BCRs are a favored mechanism in practice because of their flexibility and their lower administrative burden once implemented. Article 4(20) and Recital 110 also allow a corporate group or group of enterprises engaged in joint economic activity to use the same BCR structure for international data transfers.

Derogations for specific situations

Article 49 sets out the derogations, or exceptions, from the GDPR prohibition on transferring personal data outside the EU without adequate protections. The derogations generally parallel those in the Directive, along with a new derogation for acceptable transfers for the compelling legitimate interests of the controller. The derogations apply when:

- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that, according to EU or Member State law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

A final derogation allows for the greatest flexibility but also, like the GDPR regime generally, requires careful and consistent internal documentation. It provides that where a transfer could not be based on standard contractual clauses, BCRs, or any of the other derogations, a transfer to a third country or an international organization may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. Such language is subject to broad interpretation by data controllers and regulators alike, suggesting that data protection officers and supervisory authorities should work together to develop examples that will guide controllers in their documentation and decision-making.

From unambiguous to explicit consent

In the derogations above, the GDPR shifted from the Directive's unambiguous consent to a higher standard of explicit consent. Unambiguous consent allows the data subject to express her wishes either by a statement or by a clear affirmative action (Article 4(11)). The standard for explicit consent, which likely carries over the definition applied under the Directive, requires a data subject to respond actively to the question, orally or in writing, as defined by the Article 29 Working Party.

Notice

Pursuant to Article 13, controllers must provide certain information to data subjects when their information is obtained. This explicitly includes (a) that the controller intends to transfer personal data to a third country or international organization; and (b) that such transfer is pursuant to an adequacy decision by the Commission; or (c) reference to the appropriate or suitable safeguards and the means for the data subject to obtain them. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and as otherwise required by Article 12.

Monetary fines

Perhaps one of the most significant implications of the GDPR is that, unlike under the Directive, failure to comply with the GDPR's international data transfer provisions may result in hefty fines. Violations of the data transfer Articles are subject to the steeper of the two administrative fine provisions in the GDPR. Such violations may result in administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Under Article 83(2), the factors considered for imposing this fine include the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct, and any other aggravating or mitigating factor.

Editor's Note: This piece was informed in part by a training created by Wilson Sonsini Partner and Brussels Privacy Hub Co-Chair Christopher Kuner for the IAPP's GDPR Comprehensive program held in Brussels, in February.

5 Profiling and the Right to Object

Since the Directive was implemented nearly 20 years ago, technologies have proliferated that allow data controllers to gather personal data and analyze it for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions, such as target marketing, price differentiation, and the like. Although the concepts of profiling or target marketing appear in the Directive, the precise terms do not. In its sweeping efforts to define and enhance data subjects' rights to control their personal data, the GDPR contains many restrictions on automated data processing and on decisions based upon such processing, to the extent they can be characterized as profiling.

Definition of profiling

A hotly contested provision of the GDPR, the profiling restrictions ultimately adopted were narrower than initially proposed. Under Article 4(4), data processing may be characterized as profiling when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. This definition implicitly excludes data processing that is not automated. Further elaboration of this definition may be found in Recital 24, where the GDPR establishes its jurisdiction over non-EU controllers provided they are monitoring the behaviour of [EU] data subjects as far as their behaviour takes place within the Union.

Processing activity involves data subject monitoring when natural persons are tracked on the internet, including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes. This definition suggests that profiling is not equivalent to tracking, but instead is something more, involving the intention to take decisions regarding a data subject or to predict the subject's behaviors and preferences. That profiling requires some sort of an outcome or action resulting from the data processing is underscored by the data subject's rights to be informed of the consequences of profiling decisions, as discussed in Recitals 60 and 63. Articles 13 and 15, which address the information to be provided to a data subject upon personal data collection and upon the data subject's request, both require disclosure of the existence of automated decision-making, including profiling, along with the significance and the envisaged consequences of such processing for the data subject.

Recital 70 clarifies that data subjects may object to processing for direct marketing as well as to profiling to the extent that it is related to direct marketing, further underscoring that profiling is not direct marketing per se but instead is something more. Finally, Recital 91 describes the obligation to conduct a data impact assessment and characterizes the profiling of data as follows: A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data. Accordingly, taking all of the definitions and discussions of profiling together, they seem to consistently require not simply the gathering of personal data involving personal aspects of natural persons, but the automated processing of such data for the purpose of making decisions about the data subjects.

Controllers must honor data subjects' rights regarding profiling

Data subjects are entitled under the GDPR to a number of rights with regard to profiling, some of which, like notice and access, require procedures similar to those for non-profiling data processing, but others of which, like the rights to object, to halt the profiling, and to avoid profiling-based decisions, will require special attention and processes for compliance.

Restrictions on profiling-based decisions producing legal effects

Pursuant to Article 22(1) of the GDPR, data subjects have a right not necessarily to avoid profiling itself (e.g. automated processing of personal data for the purpose of making a decision), but rather to avoid being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Recital 71 provides as examples the automatic refusal of an on-line credit application or e-recruiting practices without any human intervention.

Article 22(2) clarifies that the decision may nonetheless be made provided it is (a) necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) based on the data subject's explicit consent. Suitable safeguards may include anonymization or pseudonymization as components of profiling-based activities. In the case of a decision made pursuant to a contract with the data subject or his explicit consent, the controller must still allow the data subject to contest the decision under Article 22(3). When data is transferred pursuant to binding corporate rules, such BCRs must specify the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to decisions based solely on automated processing, including profiling, in accordance with Article 22.

Article 22(4) provides that profiling-based decisions shall not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless (a) the data subject has given explicit consent to the processing of the personal data for one or more specified purposes, except where prohibited by Union law or Member State law; or (b) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. Even in these circumstances, described more fully in Article 9(2)(a) and (g), the controller must still ensure that suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. Presumably the European Data Protection Board will provide additional guidance on the circumstances under which profiling-based decisions are permissible for special categories of personal data.

For all permissible profiling, Recital 71 compels a controller to use appropriate mathematical or statistical procedures, implement technical and organisational measures to correct personal data inaccuracies and avoid errors, secure all personal data, and minimize the risk of discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation.

Notice and access

In the case of profiling decisions subject to Article 22, Article 13 provides that the controller must inform a data subject at the time data is collected not only of the fact that profiling will occur, but also of the logic involved and the envisaged consequences of such processing. Under Article 15, a data subject may also inquire of a controller and receive confirmation of any such processing, including profiling and its consequences, at any time.

Processing must cease upon data subject's objection

Even when profiling is otherwise lawful, a data subject has the right to object at any time. Pursuant to Article 21, upon the data subject's objection to profiling that is otherwise authorized under Article 6, the processing must cease unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object, but in this case processing must cease and the controller is not authorized to continue under any circumstances.

Data impact assessments for controllers engaged in profiling

One of the triggers requiring a data impact assessment is when a controller engages in a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. Parsing this language (in Article 35(3)(a)) once again demonstrates that profiling involves more than merely automated processing, and that profiling may or may not involve decisions that produce legal effects or significantly affect an individual, but, when it does, the data subject is entitled to many additional rights and remedies. Controllers will undoubtedly be seeking additional guidance from the European Data Protection Board to determine what automated data processing activities fall within the definition of profiling, and what profiling activities may fall outside the purview of Article 22. Data subjects, on the other hand, will benefit from a broader interpretation of profiling activities in order to be able to avoid profiling-based decisions, even those to which they have given prior explicit consent.


More information

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent Policy Document for: Data Protection (GDPR) Approved by Directors: September 2017 Due for Review: September 2020 1. Statement of intent Timu Academy Trust is required to keep and process certain information

More information

Preparing Your Vendor Agreements for the General Data Protection Regulation

Preparing Your Vendor Agreements for the General Data Protection Regulation Preparing Your Vendor Agreements for the General Data Protection Regulation Oliver Yaros Partner - London +44 (0)203 130 3698 oyaros@mayerbrown.com Lei Shen Senior Associate - Chicago +1 312 701 8852 lshen@mayerbrown.com

More information

Data Protection for Landlords. David Smith Anthony Gold Solicitors

Data Protection for Landlords. David Smith Anthony Gold Solicitors Data Protection for Landlords David Smith Anthony Gold Solicitors Why Protect Data at All? Personal data is key important in everyday life Internet allows information about people to be spread quickly

More information

EU General Data Protection Regulation

EU General Data Protection Regulation Guidance note EU General Data Protection Contents Introduction Guidance note aims and structure Summary Data basics Dealing with individuals Governance and risk management Concluding remarks Appendix 1

More information

European Union General Data Protection Regulation 2016 (Effective 25 May 2018)

European Union General Data Protection Regulation 2016 (Effective 25 May 2018) European Union General Data Protection Regulation 2016 (Effective 25 May 2018) European Union General Data Protection Regulation 2016 (Effective 25 May 2018) CONTENTS Why is the GDPR relevant to Hong

More information

ACCENTURE BINDING CORPORATE RULES ( BCR )

ACCENTURE BINDING CORPORATE RULES ( BCR ) ACCENTURE BINDING CORPORATE RULES ( BCR ) EXECUTIVE SUMMARY INTRODUCTION Complying with data privacy laws is part of Accenture s Code of Business Ethics (COBE). In line with our COBE, we implement recognized

More information

Page 1 of 7 Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling

More information

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey www.nascenta.com GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey Introduction GDPR Key Points GDPR/DPA Differences Start Up, Tech Business Professional Practice?

More information

GDPR - 10 THINGS YOU NEED TO KNOW (US PERSPECTIVE) 1. Privacy and data protection are fundamental rights

GDPR - 10 THINGS YOU NEED TO KNOW (US PERSPECTIVE) 1. Privacy and data protection are fundamental rights GDPR - 10 THINGS YOU NEED TO KNOW (US PERSPECTIVE) 1. Privacy and data protection are fundamental rights Privacy is internationally recognised as a fundamental human right, like the right to free speech

More information

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems LAST UPDATED June 11, 2018 DATA PROTECTION POLICY International Foundation for Electoral Systems 1. Purpose 1.1. International Foundation for Electoral Systems is committed to complying with privacy and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:

More information

General Data Protection Regulation (GDPR) Frequently Asked Questions

General Data Protection Regulation (GDPR) Frequently Asked Questions General Data Protection Regulation (GDPR) Frequently Asked Questions 26 March 2018 0 Contents Introduction... 3 What is GDPR?... 3 Who does the GDPR apply to?... 3 Are tax advisers data controllers or

More information

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges Cyber Risk 1 GDPR and Canadian organizations: Addressing key challenges The regulation

More information

The GDPR enforcement deadline is looming are you ready?

The GDPR enforcement deadline is looming are you ready? Link to Article The GDPR enforcement deadline is looming are you ready? 1 Compliance Is this relevant to the Wealth Management community is Asia? It is relevant to your business if you have an establishment

More information

TEL: +44 (0)

TEL: +44 (0) EU General Data Protection Regulation FAQs Cordery GDPR Navigator This note is part of the Cordery GDPR Navigator. Technical terms are used in this document which are explained in the glossary. Edition

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version Date Revision Author Summary of Changes 1.0 21 st May 2018 Ashleigh Morrow EXECUTIVE STATEMENT At CASTLEREAGH NURSERY SCHOOL (the School ), we believe privacy is important.

More information

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on GDPR POLICY Sponsors Statement All The Bishop of Winchester Academy policies exist to support the Sponsors vision, Christian ethos and values that are embedded in the day-to-day and long term running of

More information

Privacy Policy & Data Protection

Privacy Policy & Data Protection Introduction Hewett Recruitment are committed to protecting the privacy or our clients, candidates and individuals who access our services and website. This policy applies where we are acting as data controller

More information

FPSS GDPR Data Protection Policy

FPSS GDPR Data Protection Policy GDPR Data Protection Policy Policy reviewed by: Resources Committee Date: 12 th March 2018 Approved by: Resources Committee Date: 12 th March 2018 Minute No: Next review date: Signed on behalf of The Governing

More information

The European Union s General Data

The European Union s General Data The European Union s General Data Protection Regulation Webinar 2 in a series November 14, 2017 Presenters Bret Cohen Partner, Hogan Lovells Julia Funaki Associate Director, AACRAO International Mark McConahay

More information

How employers should comply with GDPR

How employers should comply with GDPR 02 Mind your business Prepare for GDPR How employers should comply with GDPR Recommendations for employer compliance with GDPR The scope of the impact of the GDPR cannot be overstated. The GDPR will impact

More information

General Data Protection Regulation (GDPR) Business Guide

General Data Protection Regulation (GDPR) Business Guide General Data Protection Regulation (GDPR) Business Guide May 2018 LEGAL DISCLAIMER The information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended

More information

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have

More information

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR PRINCIPLES OF PERSONAL DATA PROTECTION In these Principles of Personal Data Protection we inform the subjects of data whose personal data we process about all our activities regarding processing and principles

More information

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you:

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you: Privacy Policy Last updated: May 17, 2018 This is the privacy policy (the Policy ) of the website www.experitest.com (the "Website") operated by Experitest Ltd., of 10 HaGavish St, 4250708 Poleg, Israel

More information

HEAVERS FARM PRIMARY SCHOOL. GDPR Data Protection Policy

HEAVERS FARM PRIMARY SCHOOL. GDPR Data Protection Policy HEAVERS FARM PRIMARY SCHOOL GDPR Data Protection Policy Contents: Statement of intent 1. Legal framework 2. Applicable data 3. Principles 4. Accountability 5. Data protection officer (DPO) 6. Lawful processing

More information

Technical factsheet: General Data Protection Regulation (GDPR) April 2018

Technical factsheet: General Data Protection Regulation (GDPR) April 2018 Technical factsheet: General Data Protection Regulation (GDPR) April 2018 1 1 CONTENTS 1. What is GDPR? 2. How is GDPR different to the old Data Protection Act? 3. Why does it apply to members? 4. What

More information

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds The General Data Protection Regulation in health & social care 6 October 2016 Leeds Session outline 09.05am: Roadmap of the GDPR 10.15am: Coffee break 10.30: GDPR impact: Streetview Employment Rights of

More information

GDPR Factsheet - Key Provisions and steps for Compliance

GDPR Factsheet - Key Provisions and steps for Compliance GDPR Factsheet - Key Provisions and steps for Compliance Organisations in the Leisure & Hospitality industry hold vast amounts of personal data relating to customers, employees, and suppliers as well as

More information

General Data Protection Regulation (GDPR) A brief guide

General Data Protection Regulation (GDPR) A brief guide General Data Protection Regulation (GDPR) A brief guide Document compiled by: Terence Clark & Dr. Nathan Matthews June 2017 Acknowledgements This document contains material from the Information Commissioner

More information

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1 Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1 Bitkom represents more than 2,300 companies in the digital sector, including 1,500 direct members. With more than 700,000 employees,

More information

CANDIDATE DATA PROTECTION STANDARDS

CANDIDATE DATA PROTECTION STANDARDS CANDIDATE DATA PROTECTION STANDARDS I. OBJECTIVE The aim of these Candidate Data Protection Standards ( Standards ) is to provide adequate and consistent safeguards for the handling of candidate data by

More information

A summary of the implications of the General Data Protection Regulations (GDPR)

A summary of the implications of the General Data Protection Regulations (GDPR) Introduction A summary of the implications of the General Data Protection Regulations (GDPR) 1. The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. Various implications

More information

GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO

GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO 1 Consent Things you need to know about consent and the processing of employees data The EU General Data Protection Regulation

More information

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy Responsible Business Alliance Data Privacy and GDPR Compliance Policy 1. INTRODUCTION 1.1 As a global non-profit membership organisation, the Responsible Business Alliance ( RBA ) has a responsibility

More information

KYC & Data Protection: Friends or Foes?

KYC & Data Protection: Friends or Foes? KYC & Data Protection: Friends or Foes? How To Comply with KYC Requirements CREOBis March 28 th, 2017 0 Overview 1. Relationship between DP & KYC Regulations 2. Using Data Beyond KYC Purposes? 3. Supervisory

More information

GDPR factsheet Key provisions and steps for compliance

GDPR factsheet Key provisions and steps for compliance GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance

More information

The Sage quick start guide for businesses

The Sage quick start guide for businesses General Data Protection Regulation (GDPR): The Sage quick start guide for businesses Contents Introduction 3 Infographic: GDPR at a Glance 4 The basics 5 The GDPR in summary 5 Individual rights and informing

More information

GDPR is coming in 108 days: Are you ready?

GDPR is coming in 108 days: Are you ready? Charles-Albert Helleputte Partner, Brussels GDPR is coming in 108 days: Are you ready? Diletta De Cicco Legal Consultant, Brussels 6 February 2018 +32 2 551 5982 chelleputte@mayerbrown.com +32 2 551 5974

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR) The EU General Data Protection Regulation (GDPR) What is the GDPR? The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) was adopted on 27 April,

More information

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you: Ignata Group Data Protection / Privacy Notice What is the purpose of this document? Ignata is committed to protecting the privacy and security of your personal information. This privacy notice describes

More information

General Data Protection Regulation Guide

General Data Protection Regulation Guide General Data Protection Regulation Guide TABLE OF CONTENTS Introduction 1 Scope 2 Legal Bases for Data Processing 3 Rights of Individuals 5 Accountability and Governance Mechanisms 7 Data Processor Obligations

More information

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate

More information

Getting Ready for the. General Data Protection Regulation GDPR. A Guide by Mason Hayes & Curran. Dublin, London, New York & San Francisco. MHC.

Getting Ready for the. General Data Protection Regulation GDPR. A Guide by Mason Hayes & Curran. Dublin, London, New York & San Francisco. MHC. Getting Ready for the General Data Protection Regulation GDPR 2018 Dublin, London, New York & San Francisco A Guide by Mason Hayes & Curran MHC.ie The contents of this publication are to assist access

More information

ARTICLE 29 Data Protection Working Party

ARTICLE 29 Data Protection Working Party ARTICLE 29 Data Protection Working Party 17/EN WP264 rev.01 Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data Adopted on 11

More information

Preparing for the General Data Protection Regulation (GDPR)

Preparing for the General Data Protection Regulation (GDPR) Preparing for the General Data Protection Regulation (GDPR) ServiceNow Governance, Risk, and Compliance Table of Contents What is the GDPR?...3 Key Requirements for the GDPR...4 Accountability, Policies,

More information

Genera Data Protection Regulation and the Public Sector

Genera Data Protection Regulation and the Public Sector Genera Data Protection Regulation and the Public Sector Tuesday 30 May 2017 @mhclawyers Welcome Edward Gleeson Partner & Head of Public & Administrative Law Mason Hayes & Curran GDPR for Public Bodies

More information

Exploring the Impact of the GDPR on Companies Sponsoring and Managing Global Clinical Research

Exploring the Impact of the GDPR on Companies Sponsoring and Managing Global Clinical Research With an ever-abundant list of important compliance requirements to contend with, life sciences compliance officers have no shortage of challenges. And this year won t offer any reprieve. On May 25, 2018,

More information

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

The Society of St Stephen s House Site Security and Monitoring Privacy Notice This privacy notice applies to data processing activities undertaken by The Society of St Stephen s House for security and monitoring relating to staff, students and visitors to College premises A summary

More information

ECOSERVICES, LLC BINDING CORPORATE RULES

ECOSERVICES, LLC BINDING CORPORATE RULES ECOSERVICES, LLC A. INTRODUCTION EcoServices respects the legitimate privacy interests of the people from whom it Processes Personal Information, such as its managers, officers, employees, contractors,

More information

EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018

EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018 EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018 This document is a broad overview of the GDPR and does not provide legal advice. We urge you to consult with your own

More information

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE OCTOBER 2017 EU, COMPETITION, TRADE AND REGULATORY THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE The EU General Data Protection Regulation (GDPR) becomes effective

More information

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY LEICESTER HIGH SCHOOL DATA PROTECTION POLICY 1. Background Data protection is an important legal compliance issue for Leicester High School. During the course of the School's activities it collects, stores

More information